On Tue, 27 Oct 2020 22:36:38 +0100
Pierre Emeriaud <petrus.lt+open...@gmail.com> wrote:

> Howdy misc@,
> 
> I have a fairly complicated setup with lots of interfaces, a couple of
> rdomains etc.
> 
> I'd like wireguard to listen only on an IP address, not all. But if my
> understanding of ifconfig(8) is correct, this doesn't seem possible
> currently:
> 
> wgport port
>              Set the UDP port that the tunnel operates on.  _The
> interface will bind to INADDR_ANY and IN6ADDR_ANY_INIT._
> 
> I guess this the reason for the following behaviour?
> 
> $ doas ifconfig wg0 wgport 53
> ifconfig: SIOCSWG: Address already in use
> (the error message is generic I guess - but confusing imho)
> 
> $ netstat -natfinet | grep 53
> tcp          0      0  127.0.0.1.53           *.*                    LISTEN
> udp          0      0  127.0.0.1.53           *.*
> 
> $  netstat -T1 -natfinet | grep 53
> udp          0      0  127.0.0.1.53           *.*
> 
> Is there a way to circumvent this restriction? (is there a reason
> behind it maybe?)

A lot has been said already, however I should clarify things.

wg(4)'s primary goal is to provide a secure network tunnel. We have no
desire to obfuscate or manipulate traffic to bypass restrictive
firewalls, which appears to be what you want to use port 53 for.

Why INADDR_ANY (and IN6ADDR_ANY_INIT)? We listen on all interfaces to
discard any notion of trusting IP addresses and rely entirely on the
crypto to authenticate packets. This ties directly to the "roaming" feature
of WireGuard [1]. As Theo mentioned we don't want to monitor for
addressing changes, so INADDR_ANY is correct.

Why no configuration knob for bind address? Well, this is a "simple"
VPN and prides itself on minimising unnecessary configuration while
still achieving its primary goals. Allowing configuration of the bind
address opens a whole can of complexity worms, including configuration
failure modes and security issues that we don't have consensus on. The
behaviour exhibited on wg(4) is also consistent with implementations of
WireGuard on other platforms. This has been discussed before: [2][3].

Finally, if you want to continue using port 53, bind wg first, then
unwind. Alternatively rdr-to rules will work and I'm guessing you
didn't do any debugging to figure out why your rules weren't working as
expected. If your goal is to bypass restrictive firewalls, you may also
want to add ports 123, 4500, 5060 to your redirect rules, but keep in
mind you're abusing software in ways it wasn't designed for so support
is minimal. I imagine it would look something like the following (with
wg(4) listening on port 53535 on the same rdomain):

pass in on $wan proto udp to (self) \
  port { 53, 123, 4500, 5060 } rdr-to 127.0.0.1 port 53535

Cheers,
Matt

[1] https://www.wireguard.com/#built-in-roaming
[2] https://lists.zx2c4.com/pipermail/wireguard/2017-May/001280.html
[3] https://lists.zx2c4.com/pipermail/wireguard/2018-June/003013.html
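The "Address already in use" error in the original post comes from wg(4) binding INADDR_ANY: any UDP socket on that port in the same rdomain collides, whatever address it is bound to. The following is an added example (not code from the thread or from OpenBSD) that parses `netstat -natfinet`-style output for one rdomain and reports which sockets already hold a UDP port, so the conflict can be checked before calling `ifconfig wgport`. The netstat sample is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Given netstat -natfinet output for one
# rdomain, list the sockets that already own a UDP port, so a wgport conflict
# ("SIOCSWG: Address already in use") can be spotted before calling ifconfig.
# wg(4) binds INADDR_ANY, so any UDP socket on that port in the same rdomain
# collides, whatever local address it is bound to.

# Constructed sample of `netstat -T1 -natfinet` output (not real machine data).
SAMPLE_NETSTAT='Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.53           *.*                    LISTEN
udp          0      0  127.0.0.1.53           *.*
udp          0      0  *.123                  *.*
udp          0      0  192.0.2.10.500         *.*'

# udp_holders PORT NETSTAT_OUTPUT
# Prints the local address of every UDP socket bound to PORT, on any address.
# netstat prints the local address as addr.port, so the port is the last
# dot-separated field (works for "*.123", "127.0.0.1.53" and "::1.53").
udp_holders() {
    printf '%s\n' "$2" | awk -v port="$1" '
        $1 == "udp" {
            n = split($4, a, ".")
            if (a[n] == port) print $4
        }'
}

# wgport_is_free PORT NETSTAT_OUTPUT: exit 0 if no UDP socket holds PORT.
wgport_is_free() {
    [ -z "$(udp_holders "$1" "$2")" ]
}

main() {
    for p in 53 123 53535; do
        if wgport_is_free "$p" "$SAMPLE_NETSTAT"; then
            echo "udp/$p: free, wgport $p should bind"
        else
            echo "udp/$p: in use by $(udp_holders "$p" "$SAMPLE_NETSTAT" | tr '\n' ' ')"
        fi
    done
}

main "$@"
```

On a live system, replace `SAMPLE_NETSTAT` with `$(netstat -T<rdomain> -natfinet)` for the rdomain the wg interface lives in.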
